Analysis
- max time kernel: 138s
- max time network: 150s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 17-05-2021 19:02

Static task: static1
Behavioral task: behavioral1
- Sample: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
- Resource: win7v20210408
- 0 signatures
- 0 seconds
General
- Target: 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
- Size: 697KB
- MD5: 0be6ab4816802522b78b028573e9319a
- SHA1: a237b8fe0d498a6db268e09122a362738505f134
- SHA256: 11c493b1c2a4f8f2c9c61786ee882b63466fcb07126b0d98a2ed2a3836ba36e7
- SHA512: 9cd99fac517c5193217211ed74264a24285ed73ed0864391fa0a2db0e9d2ab129a52a39a629f5a216a6e0613effff70c8f72a0bfdaa9b2ae11f873804b57e13a
Malware Config
Signatures

Taurus Stealer Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1192-65-0x000000000041EB40-mapping.dmp | family_taurus_stealer
  behavioral1/memory/1192-64-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer
  behavioral1/memory/1192-67-0x0000000000400000-0x000000000043A000-memory.dmp | family_taurus_stealer

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1304 set thread context of 1192 | 1304 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1304 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe

Suspicious use of WriteProcessMemory (10 IoCs)
Processes (10 entries, all identical):
  description | pid | process | target process
  PID 1304 wrote to memory of 1192 | 1304 | 11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe | AddInProcess32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\11C493B1C2A4F8F2C9C61786EE882B63466FCB07126B0.exe"
   PID: 1304
   - Suspicious use of SetThreadContext
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      PID: 1192